CVE-2024-5703: 
WordPress vulnerability analysis and mitigation

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin is affected by an unauthorized API access vulnerability (CVE-2024-5703). This security issue affects all versions up to and including 5.7.26, and was discovered in July 2024. The vulnerability stems from a missing capability check that impacts the plugin's API functionality (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 4.3 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N) (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to manipulate the API functionality (if enabled). Attackers can add, edit, and delete audience users through unauthorized API access (NVD).

Website administrators should update the Email Subscribers plugin to version 5.7.27 or later, which contains the security fix for this vulnerability. The patch has been implemented in the plugin's REST API admin class (WordPress Plugin).